What should CISOs improve in their approach to risk management?

Anonymous Author
The challenge is that I'm presenting risk to the business and the business is telling me it's not real or they don't care. I'm managing around those statements, so I'm going to lock it down as best I can and make sure I secure around the environment. My job is to inform them so that they can make an informed decision. But if it's mine to manage, Malcolm, most of us are doing a good job. What we're not doing is communicating and making them care.
0 upvotes
Anonymous Author
The people who can take the most risk with the fewest consequences make the most money. So in IT, we have to be the best risk takers. But when large-scale breaches like Colonial Pipeline happen I think, "What's wrong with us as a security profession that we're not better able to take risks and manage them?" Because we're the ones who are at fault. The business is taking risks and we're doing a bad job of managing them.
0 upvotes
Anonymous Author
CISOs with a true tech bent—who came from the dev world or try to look at analytics—have a very different view of risk frameworks. Their attitude is, "I can let my compliance guy deal with it." But how do you bridge that to your risk officer? They struggle. At some point you still have to go to your board and CFO and quantify the risk in dollars and cents. The CISO is the tech bridge to the board. Don't expect them to be PhDs or cyber ninjas. We grew up dealing with the tech of 9/11 and all that, so we are bred in a very different way to look at a problem statement. A lot of CISOs that come from a policy, governance and tech background look at it holistically, but we look at controls, a stack, analytics, and everything else for us is irrelevant. If I can see the data and quantify it, a framework doesn't mean anything. Data tells you the story. It's no longer a perception. And we don't always look at it in monetary terms. The business impact in most of our cases is missing, so what I'm seeing is a true divide.
1 upvote